feat(build): fluidattacks#1064 arm64 container
- Add arm64 container job - Add amd64 container job - Modularize arch on container build - Temporarily disable doas as it is broken on cross compilation Signed-off-by: Daniel Salazar <podany270895@gmail.com>
Showing
15 changed files
with
280 additions
and
1,053 deletions.
@@ -0,0 +1,3 @@ | ||
{ | ||
makesSrc = ./.; | ||
} |
@@ -1,19 +1,27 @@ | ||
{ | ||
__nixpkgs__, | ||
arch ? "native", | ||
inputs, | ||
makeSearchPaths, | ||
outputs, | ||
... | ||
}: | ||
makeSearchPaths { | ||
bin = [ | ||
__nixpkgs__.cachix | ||
__nixpkgs__.git | ||
__nixpkgs__.gnutar | ||
__nixpkgs__.gzip | ||
__nixpkgs__.nixStable | ||
__nixpkgs__.openssh | ||
]; | ||
source = [ | ||
outputs."/cli/env/runtime/pypi" | ||
]; | ||
} | ||
}: let | ||
pkgs = inputs.architectures.${arch}.pkgs; | ||
pkgsCli = inputs.architectures.${arch}.pkgsCli; | ||
in | ||
makeSearchPaths { | ||
bin = [ | ||
#pkgs.cachix | ||
pkgs.git | ||
pkgs.gnutar | ||
pkgs.gzip | ||
pkgs.nixStable | ||
pkgs.openssh | ||
( | ||
pkgsCli.python310.withPackages ( | ||
ps: [ | ||
ps.rich | ||
ps.textual | ||
] | ||
) | ||
) | ||
]; | ||
} |
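Review bot: `#pkgs.cachix` on the new side leaves cachix commented out with no explanation, and the commit description only mentions doas being disabled, so a reader cannot tell whether dropping cachix from the CLI environment is intentional or a cross-compilation workaround. Either remove the line or annotate it, e.g. `# cachix disabled: <reason> — TODO re-enable (tracked in fluidattacks#1064)`, and mention it in the commit description. The removed `source = [ outputs."/cli/env/runtime/pypi" ]` entry is replaced by an inline `pkgsCli.python310.withPackages` list of `rich` and `textual`; if that pypi output pinned versions or carried packages beyond those two, the pinning is lost here — worth confirming against the deleted file, which this page does not render.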
@@ -0,0 +1,14 @@ | ||
{ | ||
inputs, | ||
makeScript, | ||
makeSearchPaths, | ||
projectPath, | ||
... | ||
}: | ||
import (projectPath "/makes/container-image") { | ||
arch = "native"; | ||
inherit inputs; | ||
inherit makeScript; | ||
inherit makeSearchPaths; | ||
inherit projectPath; | ||
} |
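Review bot: This wrapper and the arm64 one that follows it are identical apart from `arch = "native";` versus `arch = "arm64";`, and both spell out five `inherit` lines that the `import (projectPath "/makes/container-image")` call could receive as a single `inherit inputs makeScript makeSearchPaths projectPath;`. Since the imported file already defaults `arch ? "native"`, the native wrapper could omit the argument entirely, though passing it explicitly does keep the two jobs visibly parallel. A one-line header comment naming which job each file backs (`# amd64 / native container job` and `# arm64 container job`) would make the pair self-explanatory without opening both.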
@@ -0,0 +1,14 @@ | ||
{ | ||
inputs, | ||
makeScript, | ||
makeSearchPaths, | ||
projectPath, | ||
... | ||
}: | ||
import (projectPath "/makes/container-image") { | ||
arch = "arm64"; | ||
inherit inputs; | ||
inherit makeScript; | ||
inherit makeSearchPaths; | ||
inherit projectPath; | ||
} |
@@ -0,0 +1,157 @@ | ||
{ | ||
arch ? "native", | ||
inputs, | ||
makeScript, | ||
makeSearchPaths, | ||
projectPath, | ||
}: let | ||
pkgs = inputs.architectures.${arch}.pkgs; | ||
makes = import (projectPath "/makes/main.nix") { | ||
inherit arch; | ||
inherit inputs; | ||
inherit makeScript; | ||
inherit makeSearchPaths; | ||
inherit projectPath; | ||
}; | ||
in | ||
pkgs.dockerTools.buildImage { | ||
config = { | ||
Env = [ | ||
"HOME=/home/root" | ||
"PATH=/bin:/nix/var/nix/profiles/default/bin" | ||
"USER=root" | ||
|
||
# Certificate authorities | ||
"GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt" | ||
"NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" | ||
"SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" | ||
"SYSTEM_CERTIFICATE_PATH=/etc/ssl/certs/ca-bundle.crt" | ||
]; | ||
User = "root:root"; | ||
WorkingDir = "/working-dir"; | ||
}; | ||
name = "container-image"; | ||
tag = "latest"; | ||
copyToRoot = pkgs.buildEnv { | ||
name = "root-file-system"; | ||
ignoreCollisions = true; | ||
paths = [ | ||
# Basic dependencies | ||
pkgs.bashInteractive | ||
pkgs.cacert | ||
pkgs.coreutils | ||
pkgs.git | ||
pkgs.gnugrep | ||
pkgs.gnutar | ||
pkgs.gzip | ||
pkgs.nix | ||
|
||
# Add /usr/bin/env pointing to /bin/env | ||
(pkgs.runCommand "user-bin-env" {} '' | ||
mkdir -p $out/usr/bin | ||
ln -s $(command -v env) $out/usr/bin/env | ||
'') | ||
|
||
# Create home directories | ||
(pkgs.runCommand "home" {} '' | ||
mkdir -p $out/home/makes | ||
mkdir -p $out/home/root | ||
'') | ||
# Create empty temporary directories | ||
(pkgs.runCommand "tmp" {} '' | ||
mkdir -p $out/tmp | ||
mkdir -p $out/var/tmp | ||
'') | ||
# Create the working directory | ||
(pkgs.runCommand "working-directory" {} '' | ||
mkdir -p $out/working-dir | ||
'') | ||
|
||
# Configure Nix | ||
(pkgs.writeTextDir "home/makes/.config/nix/nix.conf" '' | ||
build-users-group = | ||
'') | ||
(pkgs.writeTextDir "home/root/.config/nix/nix.conf" '' | ||
build-users-group = | ||
'') | ||
(pkgs.writeTextDir "etc/nix/nix.conf" '' | ||
build-users-group = | ||
'') | ||
|
||
# Configure SSH | ||
(pkgs.writeTextDir "home/makes/.ssh/config" '' | ||
Host * | ||
StrictHostKeyChecking no | ||
'') | ||
(pkgs.writeTextDir "home/root/.ssh/config" '' | ||
Host * | ||
StrictHostKeyChecking no | ||
'') | ||
|
||
# Configure doas | ||
(pkgs.writeTextDir "etc/doas.conf" '' | ||
permit nopass keepenv root as makes | ||
'') | ||
|
||
# Add 3 groups | ||
(pkgs.writeTextDir "etc/group" '' | ||
root:x:0: | ||
makes:x:48: | ||
nobody:x:65534: | ||
'') | ||
(pkgs.writeTextDir "etc/gshadow" '' | ||
root:*:: | ||
makes:*:: | ||
nobody:*:: | ||
'') | ||
|
||
# Add 3 users, mapped to groups with their own name | ||
(pkgs.writeTextDir "etc/passwd" '' | ||
root:x:0:0:root:/home/root:/bin/bash | ||
makes:x:48:48:makes:/home/makes:/bin/bash | ||
nobody:x:65534:65534:nobody:/homeless:/bin/false | ||
'') | ||
(pkgs.writeTextDir "etc/shadow" '' | ||
root:!x::::::: | ||
makes:!x::::::: | ||
nobody:!x::::::: | ||
'') | ||
|
||
# Miscelaneous configurations | ||
(pkgs.writeTextDir "etc/login.defs" "") | ||
(pkgs.writeTextDir "etc/nsswitch.conf" '' | ||
hosts: dns files | ||
'') | ||
(pkgs.writeTextDir "etc/pam.d/other" '' | ||
account sufficient pam_unix.so | ||
auth sufficient pam_rootok.so | ||
password requisite pam_unix.so nullok sha512 | ||
session required pam_unix.so | ||
'') | ||
|
||
# Add Makes: | ||
# - By default, it runs as root (uid 0). | ||
# - If `MAKES_NON_ROOT` is in the environment and non-empty, | ||
# makes will run as the makes user (uid > 0). | ||
(pkgs.writeShellScriptBin "m" '' | ||
if test -z "''${MAKES_NON_ROOT:-}"; then | ||
${makes}/bin/m "$@" | ||
else | ||
echo Using feature flag: MAKES_NON_ROOT | ||
set -x | ||
mkdir -p /nix/var/nix | ||
chmod u+w /nix/store | ||
chown makes:makes --recursive /nix | ||
chown root:root $(realpath /etc/doas.conf) | ||
chmod u+w /home/makes /tmp /working-dir | ||
chown makes:makes /home/makes /tmp /working-dir | ||
chown makes:makes --recursive "$PWD" | ||
${pkgs.doas}/bin/doas -u makes ${makes}/bin/m "$@" | ||
fi | ||
'') | ||
]; | ||
}; | ||
} |
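Review bot: The commit description says doas is temporarily disabled, but the new container-image file still writes `etc/doas.conf` (`permit nopass keepenv root as makes`) and the `MAKES_NON_ROOT` branch of the `m` wrapper still runs `${pkgs.doas}/bin/doas -u makes ${makes}/bin/m "$@"`; either the disabling lives in a file this page does not render, or the `arm64` job will still evaluate `pkgs.doas` and hit the cross-compilation failure the description mentions — a comment on the `# Configure doas` block stating which would settle it. The SSH configs written to `home/makes/.ssh/config` and `home/root/.ssh/config` set `StrictHostKeyChecking no`, which turns off host-key verification for every host the image talks to; `StrictHostKeyChecking accept-new` keeps the first-connection convenience while still rejecting a changed key. The non-root branch enables `set -x` right before the `chown`/`doas` lines and the final `m "$@"` call, so any secret passed as an argument to `m` is echoed into the build log; moving `set -x` after the argument-free setup steps, or dropping it, avoids that. `chmod u+w /nix/store` followed by `chown makes:makes --recursive /nix` also hands the entire store to the unprivileged user, which undercuts the privilege drop the flag is meant to provide; if that is an accepted trade-off of the feature flag, say so in the comment above the `m` script.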